Apparatus and method for embedding information for tamper detection and detecting tamper and recording medium having program for carrying out the method recorded thereon

ABSTRACT

An object of the present invention is to provide an information embedding/tamper detecting apparatus and method capable of distinguishing between changes caused by image processing and intentional image tampering, and further capable of localizing, on a regional basis, a tampered position on an image. A tamper-detection-information embedding apparatus  1  divides the image into a plurality of frequency bands to obtain transform coefficients, and then generates a pseudo-random number series by using key data, and further generates authentication data. The key data and the authentication data are embedded in the transform coefficients of MRA and MRR, respectively. the image in which the information is embedded is reconstructed by using MRA and MRR. A tamper-detecting apparatus  2  extracts the key data from MRA obtained by dividing the image into frequency bands and generates the authentication data assumed to have been embedded, and further extracts the embedded information from MRR. The image is divided in to a plurality of blocks composed of a predetermined number of pixels. For each block, an information series embedded in the transform coefficients of MRR representing the same spatial region as the unit block is compared, for verification, with the corresponding authentication data series so that the tamper is determined on a regional basis.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an apparatus and a method for embeddinginformation for tamper detection and detecting tampering, and arecording medium having a program for carrying out the method recordedthereon. More specifically, the present invention relates to anapparatus for embedding authentication data for tamper detection in adigital image signal, extracting embedded data therefrom to detect anypartial change in the digital image and localizing its position, amethod carried out by the apparatus, and a recording medium having aprogram for carrying out the method recorded thereon.

2. Description of the Background Art

Recently, more and more information are available through the use of theInternet. Especially, WWW (World Wide Web) is being frequently used fortransmitting and receiving information including images and audio. Undersuch a network environment opened for everyone, however, an indefinitenumber of people can copy digital information such as an image withoutdifficulty. Further, the copied image can be easily edited or processedby image processing software available. Accordingly, there may be a casethat a recipient of the digital image is not aware of any tamperingtherewith that may have been made by a third party during thetransmission.

Therefore, immediate establishment is required of a technique capable ofdetermining whether the transmitted digital image has been tampered withor not. An electronic authentication technique has been conventionallyknown as one of the solutions.

FIG. 14 is a diagram explaining an outline of the procedure of aconventional electronic authentication.

A transmitting side subjects an original digital image to datacompression by a hash function to generate a digest of the digitalimage, and then encrypts the digest with a secret key predetermined bythe transmitting side. The transmitting side transmits the originaldigital image and the encrypted digest to a receiving side over thenetwork.

Similarly to the transmitting side, the receiving side first subjectsthe digital image received over the network to data compression by thehash function to generate a digest of the received digital image. Thereceiving side also decrypts the encrypted digest received over thenetwork with a public key predetermined by the transmitting side. Thereceiving side compares the digest generated from the digital image withthe decrypted digest. If the digests are identical with each other, thereceiving side determines that the digital image has not been tamperedwith, and if not identical, determines that the digital image has beentampered with (electronic authentication).

In the conventional electronic authentication, however, the transmittingside needs to transmit two types of data, i.e., the original digitalimage and the encrypted digest, to the receiving side. If there are manydigital images, the transmitting side indispensably needs to managewhich digest is for which digital image in order to correctly transmitsuch two types of data over the network.

To avoid such management in the electronic authentication, (i.e., toavoid transmission of two types of data), a digital watermarkingtechnique has been conventionally applied. The digital watermarking is atechnique for embedding digital information in digital image data in aninsensible form for human being. A typical prior art which relates tothe electronic authentication applying the digital watermarkingtechnique is disclosed in, for example, the document “PROCEEDINGS OF THEIEEE, VOL. 87, NO. 7, JULY 1999, pp. 1167 to 1180”.

Now, described is a case of applying the digital watermarking techniqueto the aforementioned electronic authentication using the digests.

The transmitting side generates a digest of a digital image only for apredetermined number of high-order bits of the digital image (pixels).Thereafter, the transmitting side encrypts the digest with a secret keypredetermined by a transmitting side, and embeds the encrypted digest inlow-order bits of the digital image. The transmitting side thentransmits the digest-embedded digital image to the receiving side overthe network.

The receiving side extracts the encrypted digest embedded in thelow-order bits of the digital image received over the network. Thereceiving side decrypts the extracted digest with a public keypredetermined by the transmitting side. The receiving side alsogenerates a digest, for verification, only for the predetermined numberof high-order bits of the received digital image. The receiving sidecompares the generated digest with the decrypted digest. If the digestsare identical with each other, the receiving side determines that thedigital image has not been tampered with, and if not identical,determines that the digital image has been tampered with.

With the conventional digital watermarking technique, however, it ispossible to know that the digital image has been changed during itstransmission, but can not localize the position that has been changed.

Further, with the conventional digital watermarking technique, specificinformation is embedded utilizing-high-frequency components which arenormally insensible to human eyes. For this reason, if the digital imageis subjected to irreversible image processing (compression anddecompression) such as JPEG after being embedded with the information,such information is varied, making it impossible to extract theinformation correctly. That means that distinction is not possiblebetween the tampering intentionally made by an unauthorized person andthe change unintentionally caused by the ordinary irreversible imageprocessing.

Still further, the high frequency components normally corresponds to anedge and texture part of an image. Accordingly, if the image is muchcomposed of a monotonous part (image with little contrast variation),the information is not evenly embedded in the image (screen). As aresult, a tampering with such monotonous part may not be detected.

SUMMARY OF THE INVENTION

Therefore, an object of the present invention is to provide an apparatusfor embedding information for tamper detection and detecting tamperingthat embeds specific information not only in high frequency componentsbut in an entire image, i.e., in transform coefficients of relativelylow frequency components, and later extracts the embedded information, amethod carried out by such apparatus, and a recording medium having aprogram for carrying out the method recorded thereon. Therefore, it ispossible to distinguish an intentional image tampering from a changeunintentionally caused by irreversible image processing and furtherlocalize a tampered position.

The present invention has the following features to achieve the objectabove.

A first aspect of the present invention is directed to an apparatus forembedding predetermined information for tamper detection in a digitalimage signal, comprising:

-   -   a band division portion for dividing the digital image signal        into a plurality of frequency bands;    -   an authentication data generation portion for generating a        pseudo-random number series by using predetermined key data, and        generating authentication data from the pseudo-random number        series;    -   a key data embedding portion for embedding the key data in        transform coefficients of a lowest frequency band (MRA) among        the plurality of frequency bands;    -   an authentication data embedding portion for embedding        authentication data in transform coefficients of the frequency        bands exclusive of MRA (MRR) among the plurality of frequency        bands; and    -   a band synthesis portion for reconstructing the digital image        signal in which the information has been embedded by using MRA        and MRR to which data embedding processing is subjected.

As described above, in the first aspect, a digital image signal ishierarchically divided into frequency bands, and then the authenticationdata is embedded in the transform coefficients of MRR. Theauthentication data is generated from a pseudo-random number series byusing the key data, and the key data is embedded in the transformcoefficients of MRA. As such, the information is embedded in thetransform coefficients of relatively low frequency components.Accordingly, if the image is subjected to an irreversible imageprocessing, variation in the embedded key data and authentication datais small comparing to that caused by the intentional image tampering. Itis therefore possible to distinguish between the changes caused by theirreversible image processing and the intentional image tampering in thetamper detecting apparatus. Further, in the first aspect, it is not easyfor a third party to decipher the authentication data because he/shedoes not know specifics of frequency bands and transform coefficients inwhich the information is embedded, the order of reading the transformcoefficients, and the key data, thereby preventing overwriting orreplacement of the embedded information.

Herein, as a preferable method of embedding the authentication data,

-   -   a set value T (T is a positive integer) and a set value m (m is        an integer not more than T) are predetermined and q is        predetermined as a value obtained by dividing a transform        coefficient is divided by a predetermined quantization step        size, and    -   the authentication data embedding portion embeds the        authentication data in each transform coefficient of MRR by        comparing an absolute value of the transform coefficient with        the set value T, and if the absolute value is less than the set        value T, setting the transform coefficient to the set value +m        or −m depending on a bit value of the authentication data to be        embedded, and if the absolute value is not less than the set        value T, setting the transform coefficient to an even or odd        integer nearest to the value q depending on the bit value of the        authentication data to be embedded.

In this manner, information can be embedded with high accuracy and withless deterioration in image quality.

A second aspect of the present invention is directed to an apparatus fordetecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, comprising:

-   -   a band division portion for dividing the digital image signal        into a plurality of frequency bands;    -   a key data extraction portion for extracting key data embedded        by the specific apparatus from transform coefficients of MRA        among the plurality of frequency bands;    -   an authentication data generation portion for generating a        pseudo-random number series by using the key data, and        generating authentication data from the pseudo-random number        series;    -   an embedded information extraction portion for extracting        embedded information embedded based on the key data by the        specific apparatus from transform coefficients of MRR among the        plurality of frequency bands; and    -   a tamper determination portion for comparing the embedded        information with the authentication data for verification and        determining whether the digital image has been tampered with.

Further, the tamper determination portion preferably comprises:

-   -   a block division portion for dividing the digital image into a        plurality of unit blocks each composed of a predetermined number        of pixels;        -   a regional embedded information read portion for reading,            for each of the unit blocks, embedded information embedded            in the transform coefficients of MRR that represents the            same spatial region as the unit block, serially from all of            the embedded information extracted by the embedded            information extraction portion;        -   a regional authentication data read portion for reading, for            each of the unit blocks, authentication data corresponding            in position to the embedded information serially read by the            regional embedded information read portion, serially from            all of the authentication data generated in the            authentication data generation portion; and        -   a block-tamper determination portion for comparing a series            of the embedded information serially read with a series of            the authentication data serially read and determining, for            each of the unit blocks, whether the digital image has been            tampered with.

As described above, in the second aspect, the digital image is dividedinto unit blocks each composed of a predetermined number of pixels. Foreach unit block, information embedded in the transform coefficients ofMRR that represents the same spatial region as the unit block is read.The read information is compared, for verification, with theauthentication data assumed to have been embedded in thetamper-detection-information embedding apparatus. In this way, thetampered position on the digital image can be localized on a regionalbasis of unit block. Further, in the tamper-detection-informationembedding apparatus, the information is embedded in the transformcoefficients of relatively low frequency components. Accordingly, if theimage is subjected to an irreversible image processing, variation in theembedded key data and authentication data is small comparing to thatcaused by the intentional image tampering. It is therefore possible todistinguish between the changes caused by the irreversible imageprocessing and the intentional image tampering.

Herein, as a preferable method of extracting the authentication data,

-   -   a set value T (T is a positive integer) is predetermined and q        is predetermined as a value obtained by dividing a transform        coefficient by a predetermined quantization step size and then        rounding off the result, and    -   the embedded information extraction portion extracts the        embedded information from each transform coefficient of MRR by        comparing an absolute value of the transform coefficient with        the set value T, and if the absolute value is less than the set        value T, determining whether a value of the transform        coefficient is positive or negative and extracting a bit value        of embedded information embedded in the transform coefficient        based on the determination, and if the absolute value is not        less than the set value T, determining whether the value q is        even or odd and extracting a bit value of embedded information        embedded in the transform coefficient based on the        determination.

In this manner, information can be extracted with high accuracy and withless deterioration in image quality.

A third aspect of the present invention is directed to a method ofembedding predetermined information for tamper detection in a digitalimage signal, comprising:

-   -   a step of dividing the digital image signal into a plurality of        frequency bands;    -   a step of generating a pseudo-random number series by using        predetermined key data, and generating authentication data from        the pseudo-random number series;    -   a step of embedding the key data in transform coefficients of        MRA among the plurality of frequency bands;    -   a step of embedding the authentication data in transform        coefficients of the frequency bands of MRR among the plurality        of frequency bands; and    -   a step of reconstructing the digital image signal in which the        information has been embedded by using MRA and MRR to which data        embedding processing is subjected.

As described above, in the third aspect, a digital image signal ishierarchically divided into frequency bands, and then the authenticationdata is embedded in the transform coefficients of MRR. Theauthentication data is generated from a pseudo-random number series byusing the key data, and the key data is embedded in the transformcoefficients of MRA. As such, the information is embedded in thetransform coefficients of relatively low frequency components.Accordingly, if the image is subjected to an irreversible imageprocessing, variation in the embedded key data and authentication datais small comparing to that caused by the intentional image tampering. Itis therefore possible to distinguish between the intentional imagetampering and the change unintentionally caused by irreversible imageprocessing when any tamper is detected. Further, in the third aspect, itis not easy for a third party to decipher the authentication databecause he/she does not know specifics of frequency bands and transformcoefficients in which the information is embedded, the order of readingthe transform coefficients, and the key data, thereby preventingoverwriting or replacement of the embedded information.

Herein, as a preferable method of embedding authentication data,

-   -   a set value T and a set value m are predetermined and q is        predetermined as a value obtained by dividing a transform        coefficient by a predetermined quantization step size, and    -   the step of embedding authentication data includes:        -   a step of comparing an absolute value of the transform            coefficient with the set value T;        -   a step of setting the transform coefficient to the set value            +m or −m depending on a bit value of the authentication data            to be embedded if the absolute value is less than the set            value T; and        -   a step of setting the transform coefficient to an even or            odd integer nearest to the value q depending on the bit            value of the authentication data to be embedded if the            absolute value is not less than the set value T.

In this manner, information can be embedded with high accuracy and withless deterioration in image quality.

A fourth aspect of the present invention is directed to a method ofdetecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, comprising:

-   -   a step of dividing the digital image signal into a plurality of        frequency bands;    -   a step of extracting key data embedded by the specific apparatus        from transform coefficients of MRA among the plurality of        frequency bands;    -   a step of generating a pseudo-random number series by using the        key data, and generating authentication data from the        pseudo-random number series;    -   a step of extracting embedded information embedded based on the        key data by the specific apparatus from transform coefficients        of MRR among the plurality of frequency bands; and    -   a step of comparing the embedded information with the        authentication data for verification and determining whether the        digital image has been tampered with.

Further, the step of determining tamper preferably includes:

-   -   a step of dividing the digital image into a plurality of unit        blocks each composed of a predetermined number of pixels;    -   a step of reading, for each of the unit blocks, embedded        information embedded in MRR that represents the same spatial        region as the unit block, serially from all of the embedded        information;    -   a step of reading, for each of the unit blocks, authentication        data corresponding in position to the embedded information        serially read, serially from all of the authentication data; and    -   a step of comparing a series of the embedded information        serially read with a series of the authentication data serially        read and determining, for each of the unit blocks, whether the        digital image has been tampered with.

As described above, in the fourth aspect, the digital image is dividedinto unit blocks each composed of a predetermined number of pixels. Foreach unit block, information embedded in the transform coefficients ofMRR that represents the same spatial region as the unit block is read.The read information is compared, for verification, with theauthentication data assumed to have been embedded when embedding theinformation. In this way, the tampered position on the digital image canbe localized on a regional basis of unit block. Further, when embeddingthe tamper-detection-information, the information is embedded in thetransform coefficients of relatively low frequency components.Accordingly, if the image is subjected to an irreversible imageprocessing, variation in the embedded key data and authentication datais small comparing to that caused by the intentional image tampering. Itis therefore possible to distinguish between the changes caused by theirreversible image processing and the intentional image tampering.

Herein, as a preferable method of extracting the authentication data,

-   -   a set value T is predetermined and q is predetermined as a value        obtained by dividing a transform coefficient by a predetermined        quantization step size and then rounding off the result, and    -   the step of extracting embedded information includes:        -   a step of comparing an absolute value of the transform            coefficient with the set value T;        -   a step of determining whether a value of the transform            coefficient is positive or negative if the absolute value is            less than the set value T, and extracting a bit value of            embedded information embedded in the transform coefficient            based on the determination;        -   a step of determining whether the value q is even or odd if            the absolute value is not less than the set value T, and            extracting a bit value of embedded information embedded in            the transform coefficient based on the determination.

In this manner, information can be extracted with high accuracy and withless deterioration in image quality.

Furthermore, the tamper-detection-information embedding/tamper detectingmethod described in the above third and fourth aspects is typicallyrealized by a computer device structured by a storage device (ROM, RAM,hard disk, etc.) storing predetermined program data capable of carryingout each of the above described steps and a CPU executing the programdata. The program data may also be supplied to the computer device via astorage medium (CD-ROM, floppy disk, etc.).

These and other objects, features, aspects and advantages of the presentinvention will become more apparent from the following detaileddescription of the present invention when taken in conjunction with theaccompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing the structure of atamper-detection-information embedding apparatus 1 according to oneembodiment of the present invention.

FIG. 2 is a block diagram showing the structure of a tamper detectingapparatus 2 according to the embodiment of the present invention.

FIG. 3 is a flowchart showing the processing carried out by thetamper-detection-information embedding apparatus 1 in FIG. 1.

FIG. 4 is a block diagram exemplarily showing the structure of a banddivision portion 11 in FIG. 1.

FIG. 5 is a block diagram exemplarily showing the detailed structure ofa first band dividing filter 100 in FIG. 4.

FIG. 6 is a diagram illustrating, in a two-dimensional frequency region,signals subjected to discrete wavelet transform.

FIG. 7 is a flowchart showing the processing carried out by anauthentication data embedding portion 14 in FIG. 1.

FIG. 8 is a block diagram exemplarily showing the structure of a bandsynthesis portion 15 in FIG. 1.

FIG. 9 is a diagram exemplarily showing the structure of a first bandsynthesis filter 400 in FIG. 8.

FIG. 10 is a flowchart showing the processing carried out by the tamperdetecting apparatus 2 in FIG. 2.

FIG. 11 is a flowchart exemplarily showing the processing carried out byan embedded information extraction portion 23 in FIG. 2.

FIG. 12 is a diagram schematically showing transform coefficients of LH3and LH2 signals representing the same spatial region as a block of 32 by32 pixel size.

FIG. 13 is a diagram exemplarily explaining a computation under XOR.

FIG. 14 is a diagram explaining an outline procedure of a conventionalelectronic authentication.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 is a block diagram showing the structure of an apparatus 1 forembedding information for tamper detection (hereinafter, referred to astamper-detection-information embedding apparatus 1) according to oneembodiment of the present invention. FIG. 2 is a block diagram showingthe structure of a tamper detecting apparatus 2 according to theembodiment of the present invention.

In FIG. 1, the tamper-detection-in-formation embedding apparatus 1includes a band division portion 11, an authentication data generationportion 12, a key data embedding portion 13, an authentication dataembedding portion 14, and a band synthesis portion 15. In FIG. 2, thetamper detecting apparatus 2 includes the band division portion 11, akey data extraction portion 21, a key data determination portion 22, theauthentication data generation portion 12, an embedded informationextraction portion 23, a regional embedded information read portion 24,a regional authentication data read portion 25, and a block-tamperdetermination portion 26.

The band division portion 11 and the authentication data generationportion 12 of the tamper detecting apparatus 2 are structurally the sameas those of the tamper-detection-information embedding apparatus 1, andtherefore, are provided with the same reference numerals and descriptionthereof is omitted.

Hereinafter, by further referring to FIGS. 3 to 13, described is theprocedural flow of a method for detecting tamper with a digital imagewhich is carried out by the tamper-detection-information embeddingapparatus 1 and the tamper detecting apparatus 2 according to theembodiment.

First, by referring to FIGS. 1 and 3 to 9, a method of embeddinginformation which is carried out by the tamper-detection-informationembedding apparatus 1 is described.

FIG. 3 is a flowchart showing processing carried out by thetamper-detection-information embedding apparatus 1 of the embodiment.

Described by referring to FIGS. 4 to 6 is processing carried out by theband division portion 11 that subjects a digital image signal toconventional discrete wavelet transform to divide a band of the signalinto three hierarchies. FIG. 4 is a block diagram exemplarily showingthe detailed structure of the band division portion 11 in FIG. 1. InFIG. 4, the band division portion 11 is provided with first to thirdband dividing filters 100, 200, and 300, all of which are identical instructure.

Each of the first to third band dividing filters 100 to 300 divides anincoming image signal into four frequency bands and obtains waveletcoefficients (hereinafter, referred to as transform coefficients) forevery frequency band (step S301). Here, the transform coefficients maybe equivalently obtained by sub-band division. The first band dividingfilter 100 of the band division portion 11 receives a digital imagesignal 71.

The first band dividing filter 100 divides the digital image signal 71into four signals varied in bands, i.e., a signal LL1, signal LH1,signal HL1, and signal HH1 (hereinafter, collectively referred to asfirst hierarchical signal), on the basis of parameters of horizontal andvertical frequency components. The second band dividing filter 200receives only the signal LL1 which has the lowest band in the firsthierarchical signal, and then again divides the signal into four signalsvaried in bands, i.e., a signal LL2, signal LH2, signal HL2, and signalHH2 (hereinafter, collectively referred to as second hierarchicalsignal). Then, the third band dividing filter 300 receives only thesignal LL2 which has the lowest band in the second hierarchical signal,and again divides the signal into four signals varied in bands, i.e., asignal LL3, signal LH3, signal HL, and signal HH3 (hereinafter,collectively referred to as third hierarchical signal).

FIG. 5 is a block diagram exemplarily showing the structure of the firstband dividing filter 100 in FIG. 4. In FIG. 5, the first band dividingfilter 100 is provided with first to third two-band division portions101 to 103. These first to third two-band division portions 101 to 103are provided with one-dimensional low-pass filters (LPF) 111 to 113,one-dimensional high-pass filters (HPF) 121 to 123, and down-samplers131 to 133 for LPFs and down-samplers 141 to 143 for HPFs for decimatingthe signal at a ratio of 2:1, respectively.

The first two-band division portion 101 receives the digital imagesignal 71, filters any horizontal component thereof through both the LPF111 and HPF 121, and then generates two signals. Thereafter, the firsttwo-band division portion 101 decimates the filtered signals at a ratioof 2:1, respectively, by using the down-samplers 131 and 141, and thenoutputs the signals to the next stage. The second two-band divisionportion 102 receives the signal from the down-sampler 131, and thenfilters any vertical component thereof through both the LPF 112 and HPF122. Then, the second two-band division portion 102 decimates thefiltered signals at a ratio of 2:1, respectively, by using thedown-samplers 132 and 142, and then outputs two signals as signals LL1and LH1. The third two-band division portion 103 receives the signalfrom the down-sampler 141, and then filters any vertical componentthereof through both the LPF 113 and HPF 123. Then, the third two-banddivision portion 103 decimates the signals at a ratio of 2:1,respectively, by using the down-samplers 133 and 143, and then outputstwo signals as signals HL1 and HH1.

In this way, the first band dividing filter 100 outputs four signals,i.e., the signal LL1 low in both horizontal and vertical components, thesignal LH1 low in horizontal but high in vertical, the signal HL1 highin horizontal but low in vertical, and the signal HH1 high in both.Here, from the four signals outputted, transform coefficientsconstituting each signal are obtained. The second and third banddividing filters 200 and 300 each carry out processing similar to theabove for the incoming signals.

As a result of the band dividing processing carried out by the abovedescribed first to third band dividing filters 100 to 300, the digitalimage signal 71 is divided into 10 signals varied in bands, that is, thesignals LL3, LH3, HL3, HH3, LH2, HL2, HH2, LH1, HL1, and HH1. FIG. 6 isa diagram illustrating these ten signals in a two-dimensional frequencyregion. Herein, the signal LL3 lowest in the frequency band is referredto as MRA (Multi-Resolution Approximation), and the other signals LH3,HL3, HH3, LH2, HL2, HH2, LH1, HL1, and HH1, are referred to as MRR(Multi-Resolution Representation).

In FIG. 6, the vertical axis represents a vertical frequency component,which becomes higher as is directed downward, and the horizontal axisrepresents a horizontal frequency component, which becomes higher as isdirected rightward.

Each divided area in FIG. 6 is representing data in one frame of image,and a ratio between area sizes is equivalent to that between the numberof data in the band signals. In detail, in a case where the number ofdata in the signals LL3, LH3, HL3, and HH3 as the third hierarchicalsignal is “1”, the number of data in the signals LH2, HL2, and HH2 asthe second hierarchical signal is “4 (2 by 2 in size)”, and the numberof data in the signals LH1, HL1, and HH1 as the first hierarchicalsignal is “16 (4 by 4 in size)”.

For example, if one piece of data shown at the top-left of the LL3signal area is for a certain number of pixels on the original image, thesame number of pixels is represented by one piece of data shown at thetop-left of each of the LH3, HL3, and HH3 signal areas. Similarly, thesame number of pixels is represented by four pieces of data shown at thetop-left of each of the LH2, HL2, and HH2 signal areas, and by sixteenpieces of data in the LH1, HL2, and HH1 signal areas, respectively(square portion filled in black in each signal area in FIG. 6).Therefore, in the drawing, 64 pieces of pixel data (8 by 8 in size) onthe digital image signal (shown at the top-left) represents the samespatial region as that represented by the transform coefficients whichare shown as black squares in all frequency bands.

Next, the authentication data generation portion 12 generates apseudo-random number series by using a predetermined key data, and thengenerates authentication data from the pseudo-random number series (stepS302). To be specific, the authentication data generation portion 12determines whether the each of the real numbers in the generatedpseudo-random number series is positive or negative, and if positive,regards a bit value as “1”, and if negative, regards a bit value as “0”to generate the authentication data. For example, authentication data ADis generated from a pseudo-random number series PN in the followingmanner.

-   -   PN={0.12, −0.23, −1.21, 0.23, 1.1, −0.34, 0.01, −0.51, . . . ,        −0.33}    -   AD={1, 0, 0, 1, 1, 0, 1, 0, . . . , 0}

The key data exemplarily includes information such as an initial value,a type of function for generation of a pseudo-random number series, anda bit length thereof. For simplification, in the present embodiment,assume that the key data is a value represented by the data length of8-bit. Further, in the following explanation, it is assumed that theauthentication data is a bit stream composed of binary bit values of “1”and “0”.

The key data is essential information for data embedment, and is alsoused for data extraction in the tamper detecting apparatus 2. It istherefore requested to determine, in advance, the key data between thetamper-detection-information embedding apparatus 1 and the tamperdetecting apparatus 2.

Next, the key data embedding portion 13 reads the transform coefficientsof MRA in the image signal divided by the band division portion 11 in apredetermined order, and then embeds the key data in the transformcoefficients with a predetermined method (step S303). Among variousmethods available for this embedment, the method disclosed in JapanesePatent Laid-Open Publication No. 11-196262 (1999/196262), which wasproposed (applied) by the inventors of the present invention, achievesembedment with high accuracy and with less distortion in image quality.In the method, q is assumed to be a value obtained by dividing atransform coefficient by quantization step size Q, and is set to anearest even or odd integer depending on a bit value of key datacorresponding to the transform coefficient, thereby enabling theembedding of the key data.

Note that the predetermined order for reading the transform coefficientsof MRA is essential information for data embedment, and is also used forkey data extraction in the tamper detecting apparatus 2. Here, the keydata may be converted to digital information being encrypted forembedment. Alternatively, it is possible to add an error correction codeto the key data before embedment. Further, if the number of bits ofembedding digital information is smaller than the number of transformcoefficients of MRA, every bit of the digital information is onceembedded, and then the same bits are embedded again starting from thefirst bit.

Next, processing carried out by the authentication data embeddingportion 14 in FIG. 1 (step S304) is described by referring to FIG. 7,which is a flowchart exemplarily showing the processing.

The authentication data embedding portion 14 reads transformcoefficients Wi of the signal LH3 in FIG. 4 in a predetermined orderfrom MRR of the image signal divided in the band division portion 11(step S701). The authentication data embedding portion 14 thendetermines whether or not an absolute value |Wi| of the read transformcoefficient is not less than a predetermined set value T (step S702).

If the absolute value |Wi| is less than the set value T in step S702,the authentication data embedding portion 14 sets the transformcoefficient Wi to a predetermined value +m or −m depending on a bitvalue of authentication data corresponding to the transformcoefficient(step S703). Herein, the value m can be set at will as longas it is not more than the set value T. The smaller the value m is, thebetter the deterioration in image quality becomes, but the less theprotection against an external attack becomes. The larger the value mis, the better the protection against an external attack becomes, butthe worse the deterioration in the image quality becomes due to theincrease in amount of variation of transform coefficient. The value mthus may be appropriately set depending on the use of the apparatus andthe level of the digital signal treated thereby. On the other hand, ifthe absolute value |wi| is not less than the set value T in step S702,the authentication data embedding portion 14 sets, similarly to the keydata embedding portion 13, q to a nearest even or odd integer dependingon the bit value of authentication data corresponding to the transformcoefficient (step S704). Here, q is assumed to be a value obtained bydividing a transform coefficient by quantization step size Q.

In this way, bit values of the authentication data are embedded in thetransform coefficients Wi, and thereby data-embedded transformcoefficients Wi′ are generated.

After completing the above processing for the signal LH3, theauthentication data embedding portion 14 reads the transformcoefficients Wi of the signal LH2 in a predetermined order, and thenrepeats the processing in steps S701 to S704.

Note that, although the processing is carried out first for thetransform coefficients of the signal LH3 and then for the signal LH2 inthis example, the order may be inverted. Further, the authenticationdata is not necessarily embedded in all transform coefficients Wi of thesignals LH3 and LH2, but may be embedded alternately in vertical andhorizontal directions (refer explanation for the tamper detectingapparatus 2, which will be described later). In this manner, thedeterioration in image quality caused by information embedment can bereduced.

The order in which the signals LH2 and LH3 are treated and thepredetermined order for reading the transform coefficients thereof areessential information for data embedment, and are also used for dataextraction in the tamper detecting apparatus 2. Further, the set value Tused for comparison may be set differently for the transformcoefficients of the signal LH2 and the signal LH3. The set value T forthe signal LH3 is preferably set smaller than that for the signal LH2.For example, the set value T is predetermined as “7” for the signal LH3signal and as “10” for the LH2 signal, and the value m is predeterminedas “2”.

Next, by referring to FIGS. 8 and 9, processing carried out by the bandsynthesis portion 15 is described.

FIG. 8 is a block diagram exemplarily showing the structure of the bandsynthesis portion 15 in FIG. 1. In FIG. 8, the band synthesis portion 15is provided with first to third band synthesis filters 400, 500, and600, all of which are identical in structure.

These first to third band synthesis filters 400, 500, and 600 eachreceive the four signals varied in frequency bands, and then synthesizesthe signals to output as one signal (step S305). The first bandsynthesis filter 400 receives the signals LL3, LH3, HL3, and HH3, andthen synthesizes these signals to generate the signal LL2. The secondband synthesis filter 500 receives the signals LL2, LH2, HL2, and HH2,and then synthesizes these signals to generate the signal LL1.Thereafter, the third band synthesis filter 600 receives the signalsLL1, LH1, HL1, and HH1, and then synthesizes these signals toreconstruct a digital image signal 72.

FIG. 9 is a block diagram exemplarily showing the structure of the firstband synthesis filter 400 in FIG. 8. In FIG. 9, the first band synthesisfilter 400 is provided with first to third two-band synthesis portions401 to 403. These first to third two-band synthesis portions 401 to 403are provided with LPFs 411 to 413, HPFs 421 to 423, and up-samplers 431to 433 for LPFs and up-samplers 441 to 443 for HPFs for inserting zeroto the signal at a ratio of 2:1, and adders 451 to 453, respectively.

The first two-band synthesis portion 401 receives the signals LL3 andLH3, and then converts the signals into signals twice in magnitude byusing the up-samplers 431 and 441, respectively. Then, the verticalcomponent of the converted two signals is filtered through the LPF 411and HPF 421, respectively, and then the filtered two signals are addedfor output. The second band synthesis portion 402 receives the signalsHL3 and HH3, and then converts the signals into signals twice inmagnitude by using the up-samplers 432 and 442, respectively.Thereafter, the vertical component of the converted two signals isfiltered through the LPF 412 and HPF 422, respectively, and then thefiltered two signals are added together for output. The third two-bandsynthesis portion 403 receives outputs from the adders 451 and 452, andthen respectively converts the outputs into signals twice in magnitudeby using the up-samplers 433 and 443. Then, horizontal component of theconverted two signals is filtered through the LPH 413 and HPF 423,respectively and then the filtered two signals are added together foroutput.

Accordingly, the first band synthesis filter 400 outputs the signal LL2low in both horizontal and vertical components, that is, the secondhierarchical signal. The second and third band synthesis filters 500 and600 each carry out processing similar to the above for the incomingsignals. In this way, the band synthesis portion 15 reconstructs 10frequency band signals LL3, LH3, HL3, HH3, LH2, HL2, HH2, LH1, HL1, andHH1 to the digital image signal 72 to which embedment has been done.

Next, by referring to FIGS. 2 and 10 to 13, described is a method oftamper detection which is carried out by the tamper detecting apparatus2 according to the embodiment.

FIG. 10 is a flowchart showing processing carried out by the tamperdetecting apparatus 2 of the embodiment.

In FIG. 2, the band division portion 11 receives a digital image signal73. The digital image signal 72 outputted from the band synthesisportion 15 of the tamper-detection-information embedding apparatus 1becomes the digital image signal 73 due to compression/decompression ortampering during its transmission. The band division portion 11 subjectsthe received digital image signal 73 to discrete wavelet transform todivide the same into 10 signals varied in frequency bands, i.e., signalsLL3, LH3, HL3, HH3, LH2, HL2, HH2, LH1, HL1, and HH1, and obtainstransform coefficients for every signal (step S1001).

Next, the key data extraction portion 21 reads the transformcoefficients of MRA in the image signal 73 divided by the band divisionportion 11 in the same order in which the transform coefficients areread by the key data embedding portion 13 of thetamper-detection-information embedding apparatus 1, and then extractsthe key data embedded in the signal (step S1002). Among various methodavailable for this extraction, the method disclosed in the abovedescribed publication applied by the inventors of the present inventionachieves extraction with high accuracy and with less distortion in imagequality. In the method, q is assumed to be a value obtained by dividinga transform coefficient by quantization step size Q and then roundingoff the result. A bit value of the embedded key data is extracted basedon the determination whether q is an odd or even number.

The key data determination portion 22 determines, for verification,whether or not the key data extracted by the key data extraction portion21 is identical to the key data used by the tamper-detection-informationembedding apparatus 1 (step S1003). The determination is carried out bycomparing the key data extracted in the key data extraction portion 21with the key data previously held therein as that used in thetamper-detection-information embedding apparatus 1. Herein, if aplurality of key data is used by the tamper-detection-informationembedding apparatus 1, the key data determination portion 22correspondingly holds the same data for comparison.

In step S1003, if the extracted key data is determined as identical tothe key data previously held, the key data determination portion 22carries out processing from step S1004 and onwards. On the other hand,if the extracted key data is determined as not identical, the key datadetermination portion 22 determines that the digital image signal 73 hasbeen tampered with (step S1011).

The key data determination portion 22 is not an indispensable componentto the tamper detecting apparatus 2. In the present invention, however,such determination for verifying the key data improves reliability ofthe tamper detecting apparatus 2 in detection of a tampering with thedigital image. The key data determination portion 22 is thereforepreferably used in view of making the tamper detecting apparatus 2 morepreferable in practical use.

The authentication data generation portion 12 generates, in the abovedescribed manner, a pseudo-random number series by using the key datapreviously held therein as the key data used by thetamper-detection-information embedding apparatus 1. The key dataincludes information such as an initial value, a type of function forgeneration of the pseudo-random number series, and a bit length thereof.The authentication data generation portion 12 then generatesauthentication data K from the pseudo-random number series (step S1004).

Next, processing carried out by the embedded information extractionportion 23 in FIG. 2 (step S1005) is described by referring to FIG. 11,which is a flowchart exemplarily showing the processing.

The embedded information extraction portion 23 reads the transformcoefficients Wi of the signals LH3 and LH2 from MRR of the digital imagesignal 73 divided in the band division portion 11. Here, the transformcoefficients Wi are read in the same order in which those are read bythe authentication data embedding portion 14 of thetamper-detection-information embedding apparatus 1. To be specific, thetransform coefficients Wi are read in the order of signal LH3 and thenthe signal LH2, and also in the predetermined order within each signal(step S1101). The embedded information extraction portion 23 thendetermines whether or not the absolute value |Wi| of the read transformcoefficient is not less than the predetermined set value T (step S1102).

If the absolute value |Wi| is less than the set value T in step S1102,the embedded information extraction portion 23 further determineswhether the value of the transform coefficient Wi is positive ornegative. Based on the determination, the embedded informationextraction portion 23 extracts a bit value of the information embeddedin each transform coefficient (step S1103). On the other hand, if theabsolute value |Wi| is not less than the set value T in step S1102, theembedded information extraction portion 23 extracts a bit value of theinformation embedded in each coefficient with the similar method carriedout by the key data extraction portion 21 (step S1104). In the method, qis assumed to be a value obtained by dividing a transform coefficient byquantization step size Q and then rounding off the result. A bit valueof the information embedded in each transform coefficient is extractedbased on the determination whether q is an odd number or even number.

By completing the above processing, the embedded information extractionportion 23 extracts embedded information D which is composed of theinformation embedded in each transform coefficient (step S1005). Theembedded information D corresponds to the authentication data assumed tohave been embedded in the tamper-detection-information embeddingapparatus 1.

Next, by referring to FIG. 12, processing carried out by the regionalembedded information read portion 24 and the regional authenticationdata read portion 25 is described. In FIG. 12, the top-left dotted areashows a block serving as a unit for determining whether or not anytamper exists in the digital image signal 73 (hereinafter, referred toas unit block). Here, the size of the unit block is exemplarily 32 by 32pixels. Further, in FIG. 12, with respect to the signals LH3 and LH2,transform coefficients representing the same spatial region as the unitblock are shown in the frames drawn with the thick line. As is evidentfrom the drawing, if the size of the unit block is 32 by 32 pixels forthe digital image signal 73, corresponding block sizes for the signalsLH3 and LH2 are 4 by 4 pixels and 8 by 8 pixels, respectively.

Note that the unit block size herein (32 by 32 pixels) is one example,and can be arbitrarily set depending on how small or large a unit(region) for determining the tamper is.

Now, the description is exemplarily made for a case where the transformcoefficients of the signals LH3 and LH2 are read alternately in verticaland horizontal directions. In this case, information has been embeddedin the same manner by the tamper-detection-information embeddingapparatus 1. In this example, embedded information corresponding to theunit block of 32 by 32 pixels is 4 pieces of data in the signal LH3 and16 pieces of data in the signal LH2 (filled-in-black portions in FIG.12).

Accordingly, the regional embedded information read portion 24 readssuch 20 pieces of information from the embedded information D extractedin the embedded information extraction portion 23 as embeddedinformation BD corresponding to the unit block of 32 by 32 pixels (stepS1006).

Similarly, the regional authentication data read portion 25 reads 20pieces of authentication data corresponding in position to the embeddedinformation BD from the authentication data K generated in theauthentication data generation portion 12 as authentication data BKcorresponding to the unit block of 32 by 32 pixels (step S1007).

Assume, for example, that the embedded information BD and theauthentication data BK respectively read by the regional embeddedinformation read portion 24 and the regional authentication data readportion 25 are

-   -   BD={1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1}    -   BK={1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1}

Here, in comparison between both, the second, fourth, twelfth, andfourteenth bits differ in value from each other.

Next, in the block-tamper determination portion 26, the bits at the samepositional order in the embedded information BD and the authenticationdata BK are XORed, and then a sum total S of the XORed values iscomputed (step S1008). FIG. 13 is a diagram exemplarily showing acomputation under the XOR. The result of the computation becomes “1”when both bits differ in value from each other and becomes “0” when bothare the same in value. The block-tamper determination part 26 comparesthe total sum S with a predetermined set value BT so as to determinewhether a partial image corresponding to the unit block (in the example,32 by 32 pixels) has been tampered with or not (step S1009).

For example, the block-tamper determination portion 26 determines thatthe image has been tampered with if the total sum S is not less than theset value BT, and has not been tampered with if the total sum S is lessthan the set value BT. The set value BT can be predetermined at willdepending on how strictly the tamper determination is made. In suchmanner, the intentional image tampering and the change caused by theirreversible image processing can be distinguished from each other.

In the above exemplified embedded information BD and the authenticationdata BK, the bit values differ from each other in the four positions. Asa result, the total sum S computed is “4”. If the set value BT ispredetermined as “3”, the total sum S is not less than the set value BT.Accordingly, the unit block is determined to have been tampered with.

The XOR computing carried out in the block-tamper determination portion26 may take a reverse logic. That is, “0” is computed when both bitsdiffer in value from each other and “1” when both are the same in value.In this case, the block-tamper determination portion 26 determines thatthe block has been tampered with if the total sum S is less than the setvalue BT, and not have been tampered with if not less. Instead of thetotal sum S of the XORed values, the number of or an inner product ofbits that coincide with each other between the embedded information BDand the authentication data BK may be computed. Further alternatively,it is possible to substitute “−1” for “0” in the embedded information BDand the authentication data BK, and then compute an inner productthereof.

Based on the determination in step S1009, the tamper detecting apparatus2 stores in memory (not shown) or outputs to a display (not shown)either information that the unit block (within 32 by 32 pixels) has beentampered with or has not been tampered with (steps S1010, S1011).

The tamper detecting apparatus 2 repeats the processing in steps S1006to S1009 for all unit blocks to detects the position of the tamperedportion on the digital image.

As described above, according to the embodiment of the presentinvention, in the tamper-detection-information embedding apparatus 1, adigital image signal is hierarchically divided into three bands, andthen the authentication data is embedded in the transform coefficientsof the signals LH3 and LH2 of MRR. The authentication data is generatedfrom a pseudo-random number series by using the key data, and the keydata is embedded in the transform coefficients of MRA. In the tamperdetecting apparatus 2, the digital image is divided into unit blockseach composed of a predetermined number of pixels. For each unit block,information embedded in the transform coefficients of MRR thatrepresents the same spatial region as the unit block is read. The readinformation is compared, for verification, with the authentication dataassumed to have been embedded in the tamper-detection-informationembedding apparatus 1.

In this way, the tamper detecting apparatus 2 can localize the tamperedposition on the digital image on a regional basis of unit block.Further, in the tamper-detection-information embedding apparatus 1, theinformation is embedded in the transform coefficients of relatively lowfrequency components. Accordingly, even if the irreversible imageprocessing is performed, variation in the embedded key data andauthentication data is small comparing to that caused by the intentionalimage tampering. It is therefore possible to distinguish between thechanges caused by the irreversible image processing and the intentionalimage tampering. Still further, according to atamper-detection-information embedding method and a tamper detectingmethod of the present invention, it is not easy for a third party todecipher the authentication data because he/she does not know specificsof frequency bands and transform coefficients in which the informationis embedded, the order of reading the transform coefficients, and thekey data, thereby preventing overwriting or replacement of the embeddedinformation.

The number of hierarchies obtained by discrete wavelet transform carriedout in the band division portion 11 of the embodiment is not limited tothree. The signal can be divided into more hierarchies until the signalLL reaches a 1 by 1 element. Further, bands for embedding theauthentication data is not limited to the signals LH3 and LH2, but maybe other bands among MRR or all bands of MRR. Even in these cases, theorder in which the bands are subjected to processing should bepredetermined.

Note, however, the authentication data is preferably embedded only inthe transform coefficients of the signals in deeper hierarchies in orderto make the most of the usable effects of the present invention.Specifically in FIG. 4, it is most preferable to embed theauthentication data in some or all of the signals LH3 and HL3 as beingthe third hierarchical signal and/or the signals LH2 and HL2 as beingthe second hierarchical signal.

Further, in the above described embodiment, the authentication dataembedding portion 14 sequentially embeds the authentication data in eachof the transform coefficients read in a predetermined order. For alltransform coefficients of MRR that represents the same spatial region asthe unit block, however, the same authentication data may be repeatedlyembedded.

Still further, if the key data is embedded after encryption using apublic key or common key in the tamper-detection-information embeddingapparatus 1 of the above described embodiment and the informationencrypted and embedded is decrypted in the tamper detecting apparatus 2,the public key or common key to be used should be predetermined betweenthe apparatuses.

The features achieved by the tamper-detection-information embeddingapparatus 1 and the tamper detecting apparatus 2 of the above describedembodiment are typically realized by a storage device (ROM, RAM, harddisk, etc.) storing predetermined program data and a CPU executing theprogram data. The program data may also be supplied via a storage medium(CD-ROM, floppy disk, etc.).

While the invention has been described in detail, the foregoingdescription is in all aspects illustrative and not restrictive. It isunderstood that numerous other modifications and variations can bedevised without departing from the scope of the invention.

1. A tamper-detection-information embedding apparatus for embeddingpredetermined information for tamper detection in a digital imagesignal, said apparatus comprising: a band division portion operable todivide the digital image signal into a plurality of frequency bands; anauthentication data generation portion operable to generate apseudo-random number series by using predetermined key data, and togenerate authentication data from the pseudo-random number series; a keydata embedding portion operable to embed the key data in transformcoefficients of a lowest frequency band (hereinafter, referred to asMRA) among the plurality of frequency bands; an authentication dataembedding portion operable to embed the authentication data in transformcoefficients of the frequency bands exclusive of the MRA (hereinafter,referred to as MRR) among the plurality of frequency bands; and a bandsynthesis portion operable to reconstruct the digital image signal inwhich the information has been embedded by using the MRA and the MRR towhich data embedding processing is subjected, wherein a set value T anda set value m are predetermined and q is predetermined as a valueobtained by dividing a transform coefficient by a predeterminedquantization step size, wherein said authentication data embeddingportion embeds the authentication data in each transform coefficient ofthe MRR by comparing an absolute value of the transform coefficient withthe set value T, and if the absolute value is less than the set value T,setting the transform coefficient to the set value +m or −m depending ona bit value of the authentication data to be embedded, and if theabsolute value is not less than the set value T, setting the transformcoefficient to an even or odd integer nearest to the value q dependingon the bit value of the authentication data to be embedded, and whereinT is a positive integer and m is an integer not more than T.
 2. A tamperdetecting apparatus for detecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, said tamper detecting apparatus comprising: a banddivision portion operable to divide the digital image signal into aplurality of frequency bands; a key data extraction portion operable toextract key data embedded by the specific apparatus from transformcoefficients of a lowest frequency band (hereinafter, referred to asMRA) among the plurality of frequency bands; an authentication datageneration portion operable to generate a pseudo-random number series byusing the key data, and to generate authentication data from thepseudo-random number series; an embedded information extraction portionoperable to extract embedded information embedded based on the key databy the specific apparatus from transform coefficients of the frequencybands exclusive of the MRA (hereinafter, referred to as MRR) among theplurality of frequency bands; and a tamper determination portionoperable to compare the embedded information with the authenticationdata for verification and to determine whether the digital image hasbeen tampered with, wherein a set value T is predetermined and q ispredetermined as a value obtained by dividing a transform coefficient bya predetermined quantization step size and then rounding off the result,wherein said embedded information extraction portion extracts theembedded information from each transform coefficient of the MRR bycomparing an absolute value of the transform coefficient with the setvalue T, and if the absolute value is less than the set value T,determining whether a value of the transform coefficient is positive ornegative and extracting a bit value of embedded information embedded inthe transform coefficient based on the determination, and if theabsolute value is not less than the set value T, determining whether thevalue q is even or odd and extracting a bit value of embeddedinformation embedded in the transform coefficient based on thedetermination, and wherein T is a positive integer.
 3. A tamperdetecting apparatus for detecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, said tamper detecting apparatus comprising: a banddivision portion operable to divide the digital image signal into aplurality of frequency bands; a key data extraction portion operable toextract key data embedded by the specific apparatus from transformcoefficients of a lowest frequency band (hereinafter, referred to asMRA) among the plurality of frequency bands; an authentication datageneration portion operable to generate a pseudo-random number series byusing the key data, and to generate authentication data from thepseudo-random number series; an embedded information extraction portionoperable to extract embedded information embedded based on the key databy the specific apparatus from transform coefficients of the frequencybands exclusive of the MRA (hereinafter, referred to as MRR) among theplurality of frequency bands; and a tamper determination portionoperable to compare the embedded information with the authenticationdata for verification and to determine whether the digital image hasbeen tampered with, wherein said tamper determination portion comprises:a block division portion operable to divide the digital image into aplurality of unit blocks each composed of a predetermined number ofpixels, a regional embedded information read portion operable to read,for each of the unit blocks, embedded information embedded in thetransform coefficients of the MRR that represents the same spatialregion as the unit block, serially from all of the embedded informationextracted by said embedded information extraction portion; a regionalauthentication data read portion operable to read, for each of the unitblocks, authentication data corresponding in position to the embeddedinformation serially read by said regional embedded information readportion, serially from all of the authentication data generated by saidauthentication data generation portion; and a block-tamper determinationportion operable to compare the embedded information serially read withthe authentication data serially read and to determine, for each of theunit blocks, whether the digital image has been tampered with, wherein aset value T is predetermined and q is predetermined as a value obtainedby dividing a transform coefficient by a predetermined quantization stepsize and then rounding off the result, wherein said embedded informationextraction portion extracts the embedded information from each transformcoefficient of the MRR by comparing an absolute value of the transformcoefficient with the set value T, and if the absolute value is less thanthe set value T, determining whether a value of the transformcoefficient is positive or negative and extracting a bit value ofembedded information embedded in the transform coefficient based on thedetermination, and if the absolute value is not less than the set valueT, determining whether the value q is even or odd and extracting a bitvalue of embedded information embedded in the transform coefficientbased on the determination, and wherein T is a positive integer.
 4. Atamper-detection-information embedding method of embedding predeterminedinformation for tamper detection in a digital image signal, said methodcomprising: dividing the digital image signal into a plurality offrequency bands; generating a pseudo-random number series by usingpredetermined key data, and generating authentication data from thepseudo-random number series; embedding the key data in transformcoefficients of a lowest frequency band (hereinafter, referred to asMRA) among the plurality of frequency bands; embedding theauthentication data in transform coefficients of the frequency bandsexclusive of the MRA (hereinafter referred to as MRR) among theplurality of frequency bands; and reconstructing the digital imagesignal in which the information has been embedded by using the MRA andthe MRR to which data embedding processing is subjected, wherein a setvalue T and a set value m are predetermined and q is predetermined as avalue obtained by dividing a transform coefficient by a predeterminedquantization step size, wherein embedding authentication data includescomparing an absolute value of the transform coefficient with the setvalue T; setting the transform coefficient to the set value +m or −mdepending on a bit value of the authentication data to be embedded ifthe absolute value is less than the set value T, and setting thetransform coefficient to an even or odd integer nearest to the value qdepending on the bit value of the authentication data to be embedded ifthe absolute value is not less than the set value T, and wherein T is apositive integer and m is an integer not more than T.
 5. A tamperdetecting method of detecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, said method comprising: dividing the digital imagesignal into a plurality of frequency bands; extracting key data embeddedby the specific apparatus from transform coefficients of a lowestfrequency band (hereinafter, referred to as MRA) among the plurality offrequency bands; generating a pseudo-random number series by using thekey data, and generating authentication data from the pseudo-randomnumber series; extracting embedded information embedded based on the keydata by the specific apparatus from transform coefficients of thefrequency bands exclusive of the MRA (hereinafter, referred to as MRR)among the plurality of frequency bands; and comparing the embeddedinformation with the authentication data for verification anddetermining whether the digital image has been tampered with, wherein aset value T is predetermined and q is predetermined as a value obtainedby dividing a transform coefficient by a predetermined quantization stepsize and then rounding off the result, wherein said extracting embeddedinformation includes comparing an absolute value of the transformcoefficient with the set value T, determining whether a value of thetransform coefficient is positive or negative if the absolute value isless than the set value T, and extracting a bit value of embeddedinformation embedded in the transform coefficient based on thedetermination, and determining whether the value q is even or odd if theabsolute value is not less than the set value T, and extracting a bitvalue of embedded information embedded in the transform coefficientbased on the determination, and wherein T is a positive integer.
 6. Atamper detecting method of detecting tamper with a digital image basedon tamper-detection-information embedded by a specific apparatus in adigital image signal, said method comprising: dividing the digital imagesignal into a plurality of frequency bands; extracting key data embeddedby the specific apparatus from transform coefficients of a lowestfrequency band (hereinafter, referred to as MRA) among the plurality offrequency bands; generating a pseudo-random number series by using thekey data, and generating authentication data from the pseudo-randomnumber series; extracting embedded information embedded based on the keydata by the specific apparatus from transform coefficients of thefrequency bands exclusive of the MRA (hereinafter, referred to as MRR)among the plurality of frequency bands; comparing the embeddedinformation with the authentication data for verification anddetermining whether the digital image has been tampered with; dividingthe digital image into a plurality of unit blocks each composed of apredetermined number of pixels; reading, for each of the unit blocks,embedded information embedded in the transform coefficients of the MRRthat represents the same spatial region as the unit block, serially fromall of the embedded information; reading, for each of the unit blocks,authentication data corresponding in position to the embeddedinformation serially read, serially from all of the authentication data;and comparing a series of the embedded information serially read with aseries of the authentication data serially read and determining, foreach of the unit blocks, whether the digital image has been tamperedwith, wherein a set value T is predetermined and q is predetermined as avalue obtained by dividing a transform coefficient by a predeterminedquantization step size and then rounding off the result, wherein saidextracting embedded information includes comparing an absolute value ofthe transform coefficient with the set value T, determining whether avalue of the transform coefficient is positive or negative if theabsolute value is less than the set value T, and extracting a bit valueof embedded information embedded in the transform coefficient based onthe determination, and determining whether the value q is even or odd ifthe absolute value is not less than the set value T, and extracting abit value of embedded information embedded in the transform coefficientbased on the determination, and wherein T is a positive integer.
 7. Arecording medium on which a program having computer device readableinstructions to be run on a computer device is recorded for carrying outa tamper-detection-information embedding method of embeddingpredetermined information for tamper detection in a digital imagesignal, the computer device readable instructions including instructionscapable of instructing a computer device to perform the methodcomprising: dividing the digital image signal into a plurality offrequency bands; generating a pseudo-random number series by usingpredetermined key data, and generating authentication data from thepseudo-random number series; embedding the key data in transformcoefficients of a lowest frequency band (hereinafter, referred to asMRA) among the plurality of frequency bands; embedding theauthentication data in transform coefficients of the frequency bandsexclusive of the MRA (hereinafter referred to as MRR) among theplurality of frequency bands; and reconstructing the digital imagesignal in which the information has been embedded by using the MRA andthe MRR to which data embedding processing is subjected, wherein a setvalue T and a set value m are predetermined and q is predetermined as avalue obtained by dividing a transform coefficient by a predeterminedquantization step size, wherein said embedding authentication dataincludes: comparing an absolute value of the transform coefficient withthe set value T, setting the transform coefficient to the set value +mor −m depending on a bit value of the authentication data to be embeddedif the absolute value is less than the set value T, and setting thetransform coefficient to an even or odd integer nearest to the value qdepending on the bit value of the authentication data to be embedded ifthe absolute value is not less than the set value T, and wherein T is apositive integer and m is an integer not more than T.
 8. A recordingmedium on which a program having computer device readable instructionsto be run on a computer device is recorded for carrying out a tamperdetecting method of detecting tamper with a digital image based ontamper-detection-information embedded by a specific apparatus in adigital image signal, the computer device readable instructionsincluding instructions capable of instructing a computer device toperform the method comprising: dividing the digital image signal into aplurality of frequency bands; extracting key data embedded by thespecific apparatus from transform coefficients of a lowest frequencyband (hereinafter, referred to as MRA) among the plurality of frequencybands; generating a pseudo-random number series by using the key data,and generating authentication data from the pseudo-random number series;extracting embedded information embedded based on the key data by thespecific apparatus from transform coefficients of the frequency bandsexclusive of the MRA (hereinafter referred to as MRR) among theplurality of frequency bands; and comparing the embedded informationwith the authentication data for verification and determining whetherthe digital image has been tampered with, wherein a set value T ispredetermined and q is predetermined as a value obtained by dividing atransform coefficient is divided by a predetermined quantization stepsize and then rounding off the result, wherein said extracting embeddedinformation includes comparing an absolute value of the transformcoefficient with the set value T, determining whether a value of thetransform coefficient is positive or negative if the absolute value isless than the set value T, and extracting a bit value of embeddedinformation embedded in the transform coefficient based on thedetermination, and determining whether the value q is even or odd if theabsolute value is not less than the set value T, and extracting a bitvalue of embedded information embedded in the transform coefficientbased on the determination, and wherein T is a positive integer.
 9. Arecording medium on which a program having computer device readableinstructions to be run on a computer device is recorded for carrying outa tamper detecting method of detecting tamper with a digital image basedon tamper-detection-information embedded by a specific apparatus in adigital image signal, the computer device readable instructionsincluding instructions capable of instructing a computer device toperform the method comprising: dividing the digital image signal into aplurality of frequency bands; extracting key data embedded by thespecific apparatus from transform coefficients of a lowest frequencyband (hereinafter, referred to as MRA) among the plurality of frequencybands; generating a pseudo-random number series by using the key data,and generating authentication data from the pseudo-random number series;extracting embedded information embedded based on the key data by thespecific apparatus from transform coefficients of the frequency bandsexclusive of the MRA (hereinafter, referred to as MRR) among theplurality of frequency bands; comparing the embedded information withthe authentication data for verification and determining whether thedigital image has been tampered with, dividing the digital image into aplurality of unit blocks each composed of a predetermined number ofpixels; reading, for each of the unit blocks, embedded informationembedded in the transform coefficients of the MRR that represents thesame spatial region as the unit block, serially from all of the embeddedinformation; reading, for each of the unit blocks, authentication datacorresponding in position to the embedded information serially read,serially from all of the authentication data; and comparing a series ofthe embedded information serially read with a series of theauthentication data serially read and determining, for each of the unitblocks, whether the digital image has been tampered with, wherein a setvalue T is predetermined and q is predetermined as a value obtained bydividing a transform coefficient by a predetermined quantization stepsize and then rounding off the result, wherein said extracting embeddedinformation includes comparing an absolute value of the transformcoefficient with the set value T, determining whether a value of thetransform coefficient is positive or negative if the absolute value isless than the set value T, and extracting a bit value of embeddedinformation embedded in the transform coefficient based on thedetermination, and determining whether the value q is even or odd if theabsolute value is not less than the set value T, and extracting a bitvalue of embedded information embedded in the transform coefficientbased on the determination, and wherein T is a positive integer.